Cyber Incident Victim: Tennessee Orthopaedic Clinics
Date:
Mar 2023
Location:
United States of America
Summary
Tennessee Orthopaedic Clinics experienced unauthorized access to certain IT systems, excluding its electronic medical records, during which an attacker potentially obtained patient information, including names, contact details, dates of birth, diagnosis and treatment data, provider names, dates and costs of services, prescriptions, insurance information, and for some individuals, Social Security numbers. The organization secured its systems, engaged third-party investigators, and confirmed the breach after completing a file review, prompting notifications to affected patients and the implementation of enhanced security measures; complimentary credit monitoring was offered to those with exposed Social Security numbers.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
Tennessee Orthopaedic Clinics (TOC) detected unusual activity on its IT systems in March 2023, prompting an immediate response to secure the affected network segments. A third-party forensic investigation confirmed an unauthorized actor accessed portions of TOC's systems between March 20 and March 24, 2023, though the electronic medical records system remained unaffected. During this four-day breach window, the intruder potentially accessed or exfiltrated files containing confidential patient information. By May 2, 2023, TOC verified the compromise of sensitive data categories including names, contact details, dates of birth, patient account numbers, diagnosis and treatment histories, provider names, treatment facility information, service dates, service costs, prescription data, and health insurance details. For a subset of patients, Social Security numbers were also exposed. The organization formally reported the incident to the HHS Office for Civil Rights listing 500 affected individuals as an initial placeholder—a common practice during ongoing forensic reviews to meet regulatory deadlines while verification continues.
TOC completed its file analysis on July 5, 2023, confirming the full scope of compromised data, though the final number of impacted patients was not publicly disclosed in available sources. The clinic began mailing physical notification letters to affected patients on July 14, 2023, with significant delays attributed to the forensic review process. Impacted individuals received guidance to scrutinize medical statements for unrecognized services, while those with exposed Social Security numbers were offered complimentary Experian credit monitoring. Operational disruptions occurred during containment efforts and system lockdowns, though specific details regarding care delivery interruptions were not outlined in disclosures. In response to the incident, TOC implemented additional technical safeguards and security monitoring protocols, while establishing a dedicated toll-free call center operational Monday-Friday to handle patient inquiries related to the breach. The organization emphasized continued operations across its nine Tennessee facilities throughout the incident lifecycle.